Splunk Search

How to exclude users from service account values: a generic approach?

AL3Z
Builder

Hi,

I'm attempting to create a method to exclude users from service account values without excluding a particular service account. Is there a generic approach we can use to identify and exclude both existing and future service accounts?
How could we write the search for this use case?

Thanks..

0 Karma

AL3Z
Builder

@richgalloway @PickleRick ,

What I need here is something like: in the event there is OU=Service IDs, OU=users, OU=computers; exclude all the src_user from OU=Service IDs only.

Thanks 

0 Karma

richgalloway
SplunkTrust

It would help to have a more defined set of requirements as well sample input and output, but perhaps this will help.

<<your search>>
| where NOT (OU="Service IDs" AND [ | inputlookup mylookup.csv | fields src_user | rename src_user as sAMAccountName | format ])

Adjust the fields and rename commands as necessary to match your fields.

---
If this reply helps you, Karma would be appreciated.
0 Karma

AL3Z
Builder

@richgalloway ,

Why do we need a lookup table here? I don't think we need it. I just want to exclude all the service accounts from OU="Service IDs" from an event.

0 Karma

richgalloway
SplunkTrust

You don't *need* a lookup.  You can put an exclude list directly in the SPL, but that may end up being more difficult to maintain.

---
If this reply helps you, Karma would be appreciated.
0 Karma

AL3Z
Builder

...

0 Karma

richgalloway
SplunkTrust

Apart from the redundant "4738" in the macro, this code looks like it should work.  How is it failing you?

---
If this reply helps you, Karma would be appreciated.
0 Karma

AL3Z
Builder

...

0 Karma

richgalloway
SplunkTrust

Debug the query by running the commands before the first | in a new query.  Verify the desired fields are present.  Add the commands up to the next | and verify the fields are still there.  Repeat the process until the fields disappear and you'll have found the source.  Post the details if you need help determining the cause.

---
If this reply helps you, Karma would be appreciated.

AL3Z
Builder

Hi, how can we exclude the service account from this event?

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{549549625-5488-43494-AHGBA-3E353B0328CEDQS0D}'/><EventID>4738</EventID><Version>0</Version><Level>0</Level><Task>13824</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2023-06-16T16:08:38.166868000Z'/><EventRecordID>668676978</EventRecordID><Correlation/><Execution ProcessID='656' ThreadID='6132'/><Channel>Security</Channel><Computer>swrfkeou09.am.win.cisco.com</Computer><Security/></System><EventData><Data Name='Dummy'>-</Data><Data Name='TargetUserName'>BP_william_son</Data><Data Name='TargetDomainName'>AM</Data><Data Name='TargetSid'>AM\BP_william_son</Data><Data Name='SubjectUserSid'>EC\EC_OktaGMSER$</Data><Data Name='SubjectUserName'>EC_OktaGMSER$</Data><Data Name='SubjectDomainName'>EC</Data><Data Name='SubjectLogonId'>0x7e3yd92a4</Data><Data Name='PrivilegeList'>-</Data><Data Name='SamAccountName'>-</Data><Data Name='DisplayName'>-</Data><Data Name='UserPrincipalName'>-</Data><Data Name='HomeDirectory'>-</Data><Data Name='HomePath'>-</Data><Data Name='ScriptPath'>-</Data><Data Name='ProfilePath'>-</Data><Data Name='UserWorkstations'>-</Data><Data Name='PasswordLastSet'>%%1794</Data><Data Name='AccountExpires'>-</Data><Data Name='PrimaryGroupId'>-</Data><Data Name='AllowedToDelegateTo'>-</Data><Data Name='OldUacValue'>0x15</Data><Data Name='NewUacValue'>0x10</Data><Data Name='UserAccountControl'>
%%2048
%%2050</Data><Data Name='UserParameters'>-</Data><Data Name='SidHistory'>-</Data><Data Name='LogonHours'>-</Data></EventData></Event>

0 Karma

AL3Z
Builder

Here OU is a multi-value field.

0 Karma

AL3Z
Builder

@richgalloway 

Any suggestions on this use case?

Thanks 

0 Karma

PickleRick
SplunkTrust

Just use a lookup which lists all accounts to exclude.

0 Karma

AL3Z
Builder

Hi,

What if we get the future service accounts?

0 Karma

richgalloway
SplunkTrust

Update the lookup file as new service accounts are added or removed.

---
If this reply helps you, Karma would be appreciated.
0 Karma
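Combining the lookup approach from richgalloway's first reply with the multi-value OU field mentioned later in the thread, the following is an added example search (not code from this thread, from Splunk, or from the Windows add-on) that drops any account whose distinguished name places it under OU=Service IDs, so accounts created in that OU later are excluded without editing the search. It assumes a lookup table ad_users.csv with sAMAccountName and distinguishedName columns (refreshed on a schedule from an LDAP export), that src_user already holds the account to test, and the index and sourcetype shown; all of those names are assumptions.

```spl
index=wineventlog sourcetype="XmlWinEventLog:Security" EventCode=4738
| lookup ad_users.csv sAMAccountName AS src_user OUTPUT distinguishedName
| rex field=distinguishedName max_match=0 "OU=(?<OU>[^,]+)"
| where isnull(mvfind(OU, "^Service IDs$"))
| table _time src_user SubjectUserName TargetUserName distinguishedName OU
```

Accounts missing from the lookup have no OU value, so mvfind returns null and they pass the where clause; run the same search with `| where isnull(distinguishedName)` instead to list those and decide whether they should be treated as service accounts.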

AL3Z
Builder

Hi

Any idea?

0 Karma